
November 06, 2024


3 Focus Areas for a Powerful Cyber Resilience Program

True cyber resilience means ensuring that your people, processes and technologies are prepared to endure, recover from and adapt to any adversity, beyond cyberattacks. When developing your cyber resilience program, focus on these key areas.


It’s an unfortunate truth that many organizations are just one bad day away from a world-shaking cyber event that has the potential to disrupt business operations, compromise sensitive data or, in some cases, threaten the viability of the business itself. Whether it’s a ransomware attack, a natural disaster or any other large-scale cyber incident, cyber resilience should be top of mind for every organization today.

There tends to be a lot of confusion surrounding what cyber resilience is and what it’s not. Does it simply mean ensuring that your organization is prepared for a cyberattack? The short answer is no.

Cyber resilience encompasses your organization’s ability to anticipate, withstand, recover from and adapt to any number of adversities that may compromise systems supported by cyber resources. Cyber resilience is a strategic approach that is intended to help enable and maintain business-critical objectives even in a challenging cyber environment under pressure. To be successful, it requires a programmatic approach that connects those business needs to the measures needed to enable resilience.

Top 3 Areas of Focus for an Effective Cyber Resilience Program

There are three areas to focus on when structuring your organization’s cyber resilience program:

1. People and Teams

For all of the investments in technical solutions, organizations are often highly dependent on key individuals to deliver the business services that rely upon that technology.

Think of the most senior, experienced members of your organization. Those are likely the go-to people tasked with handling crises. Now imagine what would happen if those people were unavailable or less effective. For those people to perform at the levels required for optimal resilience, they need two important skills: coherence and confidence.

Coherence is about being able to keep it together under pressure. The ability to continue operating at a high level while under pressure is an important skill for both individuals and teams in a crisis. Confidence refers to the belief that those people and teams have in themselves to deal with various types and levels of adversity.

For individuals, coherence and confidence may develop by successfully managing real-world adversity or through thorough training. When an individual is put under a great deal of stress, they learn how far they can bend to manage a crisis situation. Teams, on the other hand, must develop resiliency by determining how they work together to manage adversity.

Validating coherence and driving confidence among people and teams means putting them in situations where they’re forced to deal with real-world pressure. Lighter simulations, like tabletop exercises as part of incident response planning, can be an effective way to start this process, as they represent an idealized response to pressure. More robust simulations like penetration tests or purple teaming are often more effective ways to gauge coherence and instill confidence, as they require your people and teams to determine how they work well together and where issues may arise during a crisis.

However, as you put people and teams under pressure, it’s important to recognize that the resulting resilience is both temporary and narrow in scope. The resilience they display is based upon the situation that those people or teams have already experienced — but it does not extend to every possible situation.

For example, a team that successfully handles a data center power failure during a team exercise may have proven that they were prepared for that situation, but it doesn’t necessarily mean that the same team will be as resilient during a cybersecurity breach. At the same time, you never know how long this resilience will last, as it varies from individual to individual. As humans, we tend to forget the “bad things” that happen to us, meaning that we may forget the steps we took to deal with those situations as well. It’s very difficult to prove that an individual is resilient and will remain so at any given point in time.

Though not everyone reacts the same way under a stressful or pressure-filled situation, a resilient team is one that has learned to navigate adversity under a variety of stressful conditions. While this resilience is often temporary and fragile, periodically putting your people and teams to the test to ensure that they can navigate choppy waters is a great way to ensure that resilience remains top of mind.

2. Processes and Workflow

In order for your processes to be considered resilient, they must allow your workflows to maintain integrity, flexibility and redundancy under high levels of stress without breaking. This may sound simple in theory, but most of the time, processes and workflows are simply not as resilient as we think they are.

Processes are typically built to be efficient and simple so that they’re cost-effective and easy to follow. They also tend to become highly mature, meaning they're designed to be performed consistently along a single path. Think about any process in your organization today. The workflow is likely something along the lines of, “this happens, which means this happens next,” and so on. The problem with these types of processes is that while they may be very efficient, they’re not often flexible. If anything along that path breaks — one person forgets to send an email or notify another person of the next step, for example — there may not be an alternative process available, causing the whole workflow to break.

Consider the process of commuting between home and work the same way every day. You may have developed a simple, straightforward route (or workflow) comprising a few key turns or shortcuts and have determined the most efficient way home. However, what happens if there’s an interruption to this process? What if one of the roads is closed and no alternative detours exist? What if the car breaks down? While you’ve created a very efficient process that works well most of the time, if something goes wrong, the whole workflow breaks down. So, while the process may be efficient, it’s clearly not resilient.

By the same token, highly resilient processes or workflows typically require significant effort to develop and maintain. A resilient process or workflow is built with alternative paths that may never be used except under specific instances. Because building in this optionality is challenging and requires more resources, it also means that many in the organization will not be as comfortable with the alternative path. While this process may be very flexible and resilient, it’s not very efficient.

The trick is to balance the need for an efficient process with a process that also includes cost-effective alternatives in the event that there are interruptions to the process. Resilient processes and workflow will typically be defined and executed in several different ways in order to ensure that your organization achieves defined outcomes even if key individuals or systems are not working as intended.

Ideally, both processes and workflow should be flexible, meaning that they shouldn’t be dependent on one or two key aspects of the workflow functioning 100% of the time. At the same time, they should be efficient, able to be deployed quickly enough to respond to an incident immediately.

Modern disaster recovery planning, business continuity planning and cyber recovery planning are great ways to identify the areas within your processes and workflow that must be resolved to ensure that the processes can function with integrity, flexibility and efficiency in any adverse situation.

3. Technologies and Data

The final consideration for structuring a solid cyber resilience program should be your technologies and data. In order for your technologies and data to be considered resilient, they need to continue to be functional, usable and trustworthy under pressure, or be recovered quickly enough to minimize impact to the business.

When technologies and data are under pressure, they can “break” in several different ways. In some cases, broken data will also impede the function of the technology and vice versa. For example, in the case of disaster recovery, the process has historically involved recovering data in an alternate location, thereby “breaking” the technology in order for the data to continue to be functional. However, this process also assumes that the data recovered is trustworthy.

In some cases, like after a cybersecurity incident, data may become corrupted. This means that while the data may be functional and usable, it’s no longer trustworthy and should not be restored until it has been verified. Following a cyber event, three questions about data and technology must be answered immediately: Is it usable? Is it functional? Is it trustworthy? All must be true to be considered resilient.

Think of it like starting your car after an accident. If the car starts up, you can confirm that it’s technically functional. Whether or not it’s usable means checking to see if it’s operating as intended afterward. This means confirming its reliability. Do the brakes work? How about the power steering? You must be able to test the car’s functionality and fix issues as they arise to verify its level of usability and trustworthiness.

Where to Direct Cyber Resilience Efforts First

In an ideal world, your organization’s people, processes and technology are all resilient enough to handle pressure under all sorts of circumstances. However, we don’t live in an ideal world, so the challenges that arise from the costs associated with resilience, the level of difficulty in maintaining resilient processes and the fragile nature of human resilience mean that most organizations will need to pick and choose the areas where they need to focus their resilience.

How do you know where to focus your efforts?

Determining what constitutes an extinction-level event is a key step in defining what your minimum viable company (MVC) or minimum viable organization (MVO) may be. Which critical components are necessary to keep the company viable? In other words, if something defined as “critical” breaks under pressure and doesn’t cause the company to fail in its mission, then it’s likely not going to affect your organization’s minimum viability.  

Ultimately, maintaining this level of minimum viability will require building a resilient infrastructure, whether it’s self-managed, on-premises or in the cloud. Automation will also help maintain this level of minimum viability by ensuring that your technologies can scale under pressure, repairing any elements as soon as they’re broken, and verifying the trustworthiness of your data.

The First Steps in Building a Cyber Resilience Program

With a clear idea of minimum viability to focus investment, where should you start when structuring your organization’s cyber resilience program?

First, establish what is necessary to maintain viability and ensure that resilience efforts are focused on those components. Determine what steps are necessary to improve resilience in your people, processes or technology, then put together an appropriate plan to improve that resilience. A comprehensive analysis of your organization’s minimum viability business and technology requirements, as well as application and workload profiling, will help establish the best places to focus your efforts.

Even after constructing an effective cyber resilience program, the work is truly never done. Regular testing exercises like tabletop and purple team exercises are an essential part of maintaining resilience by putting your people, processes and technology to the test. These exercises provide insight into your teams' and technologies' response to different types of attacks and pressures, allowing for timely identification and improvement of weak areas — all while encouraging coherence and instilling confidence.

Whether your organization already has cyber resilience or cyber recovery protections in place or not, all of this is made easier and more effective with the help of a partner that has deep expertise in security and cyber resilience. An expert partner like CDW offers a comprehensive suite of cyber resilience solutions tailored to meet your specific business needs, including strategic consulting to assess current vulnerabilities, the integration of cyber resilience solutions that enable faster detection and response to cyber incidents, development of incident response plans, execution of tabletop exercises and adversary simulation, and more.



Gary McIntyre

Managing Director of Cyber Defense, CDW
Gary McIntyre is the Managing Director of Cyber Defense at CDW, focused on customer cybersecurity operations and defenses. He is a seasoned information security professional with over 20 years of experience focusing on the development and operation of large-scale information security programs. As an architect, manager and consultant, he has worked with a wide range of public and private sector org